DKIM record checker.
Enter your domain. Optionally enter the DKIM selector your mail provider gave you. We look up the public key at selector._domainkey.your-domain and show the raw record. Leave the selector blank to auto-probe the six common defaults.
Cryptographic proof the message is real.
DKIM signs outbound mail with a private key. Receivers fetch the public half from your DNS and verify the signature. If the message has been tampered with in transit — or did not come from an authorised sender — the signature fails.
One key per selector
Your provider holds the private half and rotates it on a schedule. Different selectors let you run multiple senders or swap keys without breaking deliverability.
Survives most forwarding
Unlike SPF, DKIM signatures survive most forwarding paths because they bind to the message itself, not the sending IP. That makes DKIM the more reliable signal for DMARC alignment.
Breaks on body edits
Anything that modifies the signed headers or body — some mailing-list footers, certain anti-virus rewrites — will break DKIM. The fix is to sign the right headers from the start.
p= empty means revoked
A DKIM record with an empty public-key tag is a deliberate revocation. Your provider published it so receivers stop trusting old signatures while you rotate to a new selector.
DKIM is one of about thirty external checks.
AttackEdge Monitoring re-runs DKIM and the rest of your DNS, mail and web posture on a recurring schedule. Plain-English findings, IT-ready fixes, monthly PDF.
Setup in 60 seconds · Cancel anytime
DKIM, in plain English.
- DKIM keys live at a per-selector subdomain (selectorname._domainkey.example.com), not at the apex. The selector lets a domain rotate keys or run multiple senders side by side. To find a record we either need the selector name or have to guess common ones.